ethereal & netstumbler

Re: ethereal & netstumbler

NetStumber is a stumbler, not a sniffer. It doesn't capture packets, it only
locates networks.

Neither NetStumbler nor Ethereal work very well on XP, at least not with
vendor's drivers for wireless NICs. So, if you're using the XP version,
don't count on much. I plan to set this stuff up on a Linux laptop when I
get the time.

Ethereal runs over a packet capture library called Winpcap that has to be
able to put your NIC in promiscuous mode to see "raw" network data - that
is, all packets on the net. Winpcap is not able to do this with the NDIS
drivers for many wifi cards on XP. If you start an Ethereal capture dialog,
disable "promiscuous", and it will capture the local TCP/IP traffic from the
NDIS driver only. It will look like Ethernet traffic, but that's only
because the NDIS driver makes it look that way. You can't see the 802.11
frames at all.

NetStumbler appears to work, but it's really pretty broken. Go to
www.netstumbler.org and read the FAQs. Also read the readme that comes with
the XP NetStumbler install. It lists a bunch of wifi NICs that it does *not*
support. These include my D-Link adapter. NetStumbler sometimes seems to
work for me, other times fails completely. The FAQ indicates that the actual
SNR measurement it gives is not trustworthy on XP.

Re: ethereal & netstumbler

Re: ethereal & netstumbler

"han" <nl> wrote in message
news:3f9eb7b8$0$37457$news.xs4all.nl...

First off, you need to be clear about what you want.

A stumbler, like NetStumbler, only finds networks. It does not capture
packets or crack WEP keys.
A sniffer, like Ethereal, finds networks and captures packets, but does not
attempt to crack WEP keys.
A cracking tool, like AirSnort, captures packets and attempts to crack WEP
keys.

A stumbler is "polite" and always legal. A sniffer is perfectly okay applied
to your own private net, but if you take it out wardriving you're on the
edge of the law. A cracking tool is perfectly legit when used in your own
network, but if you get stopped by a cop while driving around with this
software on your laptop, it doesn't look good.

For network discovery, I think my D-link site survey tool works better than
NetStumbler, at least on XP. I'd really like to have a sniffer that works on
XP, but I haven't found one yet.

There are lots of freeware tools out there, but most were developed for the
PRISM chipset, which is widely-deployed. My D-link has an Atheros chipset,
so I'm currently out of luck. Plus, any utility written to run over WinPcap
apparently has problems with raw mode over a large variety of wifi NICs on
XP. You will have to read the WinPcap FAQ to find out if your NIC is
supposed to be supported.

There may be non-freeware sniffers that will work for you, especially if
they provide their own drivers. Just do a net search, and if you find one
that works, let me know!

Re: ethereal & netstumbler

I just found a commercial Windows XP packet sniffer, AiroPeek NX, that
claims to support my NIC. Cheapest price is $3995.00. The older version,
AiroPeek, *probably* supports my NIC, cheapest price $995.00. They give you
a web-downloadable 30-day free demo, if you want to deal with their sales
people. Since I have no intention of buying, I'm not going to waste their
time. BTW, the AirSnort web page mentions an effort to use the driver
downloaded by this demo package to get AirSnort working over Atheros chipset
NICs. That's clever, but pretty clearly a license violation.

Here's a useful white paper discussing wifi promiscuous mode issues. I found
it at the linkferret site (another commercial sniffer that does *not*
support my NIC):

http://www.linkferret.ws/wireless/promiscuous.htm

"han" <nl> wrote in message
news:3f9eb7b8$0$37457$news.xs4all.nl...
I
be
that
netstumbler